|
 |
|
Linux Kernel URB and IPv6 Flowlabel Handling Denial of Service
|
|
|
|
|
Secunia Advisory:
|
SA16969
|
|
|
Release Date:
|
2005-09-27
|
|
Last Update:
|
2006-03-31
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
DoS
|
|
Where:
|
From local network
|
|
Solution Status:
|
Partial Fix
|
|
| OS: | Linux Kernel 2.6.x
|
|
| | CVE reference: | CVE-2005-2873 (Secunia mirror)
CVE-2005-3055 (Secunia mirror)
CVE-2005-3806 (Secunia mirror)
|
|
|
|
|
|
Description:
Two vulnerabilities, a security issue, and a weakness have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to cause a DoS.
1) An error in handling asynchronous USB access via usbdevio can be exploited to crash the kernel via a process that issues an URB (USB Request Block) from userspace and terminates before the URB returns.
Successful exploitation requires that the user has permissions to access an USB device.
2) An error in jiffies comparison in the "ipt_recent.c" netfilter module, when its value is greater than LONG_MAX, may cause ipt_recent netfilter rules to block too early.
3) An error in the IPv6 flowlabel handling code in "/net/ipv6/ip6_flowlabel.c" can be exploited by a local users to cause the kernel to free non-allocated memory. This corrupts kernel memory and can cause the system to crash.
4) The ICMP implementation responds to broadcast ECHO/TIMESTAMP requests by default. This can potentially be exploited to cause a DoS via a smurf attack.
Solution:
Vulnerability #1, #3 and #4 have been fixed in version 2.6.14.
Secunia is not currently aware of a fixed version for vulnerability #2.
Provided and/or discovered by:
1) Harald Welte
2) Juergen Kreileder
4) Tomasz Chomiuk
Changelog:
2005-11-11: Updated "Solution", "Solution Status" and "Original Advisory" sections.
2005-11-29: Added information of additional vulnerability. Added CVE reference, and updated "Name", "Description" and "Original Advisory" sections.
2006-03-31: Added information of additional weakness.
Original Advisory:
http://marc.theaimsgroup.com/?l=linux-kernel&m=112766129313883
http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
Kernel.org:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.14
http://www.kernel.org/git/?p=linux/ke...13830a18847cff8da73005e57bc49c2f95a56
http://www.kernel.org/git/?p=linux/ke...6a8046bb49d43c950898f0cb4e1994ef6c89d
http://www.kernel.org/git/?p=linux/ke...312467edc270fcbd8a699efabb37ce1802b98
Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174081
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
151 Related Secunia Security Advisories, displaying 10
|
|
|
1. Linux Kernel "dccp_setsockopt_change()" Integer Overflow
|
|
2. Linux Kernel Information Disclosure and Denial of Service
|
|
3. Linux Kernel LDT Buffer Size Handling Vulnerability
|
|
4. Linux Kernel Multiple Vulnerabilities
|
|
5. Linux Kernel "pppol2tp_recvmsg()" Memory Corruption Vulnerability
|
|
6. Linux Kernel ASN.1 BER Decoding Vulnerability
|
|
7. Linux Kernel Unspecified Vulnerability
|
|
8. Linux Kernel Multiple Vulnerabilities
|
|
9. Linux Kernel "fcntl_setlk()" SMP Reordered Access Vulnerability
|
|
10. Linux Kernel Multiple Vulnerabilities
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
